The BYOD horse is out of the barn: Implementing the right mobile policy for your organization

Part 1 of this series discussed how the proliferation of mobile devices at home and in the workplace results in new risks that today’s modern in house counsel must understand and address. Part 2 explained the legal and financial risks in more detail, as well as some of the consequences of not proactively guarding against those risks. In this final part of the series, I’ll provide a framework for implementing the right mobile policy for your organization.

People, policies & technology

The good news is that many of the risks and challenges presented by the proliferation of mobile devices into the workplace can be mitigated with proper planning. Three key components of a good mobile device plan include identifying the right people, creating and enforcing the right policies and implementing the right technology. Key elements of each of these areas are discussed below.

People

The creation of good internal mobile policies and procedures begins by including the right stakeholders in the policy-making process. Internal stakeholders will likely include representatives from information technology (IT), finance, legal, compliance, security, human resources, sales and other departments. External stakeholders might include outside counsel, business partners and technology consultants who may interact with company data and/or have experience addressing legal and technology issues related to mobile devices. The benefit of including diverse internal and external stakeholders is that each is likely to provide a unique and important perspective.

Although including every stakeholder in early discussions is not necessary, failure to include key people in discussions before finalizing policy decisions is a costly but common mistake. The risks and benefits of a particular policy decision cannot be comprehensively identified or measured without including the right stakeholders in the discussion. While it can be challenging, resist the urge to make important policy decisions without soliciting input from a broad group of stakeholders. You are likely to uncover issues that may have otherwise been overlooked and you are much more likely to build the organizational support required for success.

Policies

Once the key stakeholders are assembled, the risks and benefits of implementing a particular policy should be discussed. A threshold question may be whether or not the organization should allow employees to use mobile devices for both personal and business purposes. If the answer is yes, then the discussion might turn to whether devices should be purchased and owned by the employer or employee as part of a bring your own device (BYOD) policy.

When evaluating whether to implement a BYOD or an employer-owned mobile device policy, stakeholders should begin by evaluating the pros and cons of each approach. Some of questions that should be considered are listed below:

Will a BYOD policy save the organization money? If so, how much?

Is worker productivity likely to increase, decrease or stay the same?

Will a BYOD policy introduce new risks?

Increased risk of data loss or theft?

New e-discovery or regulatory compliance challenges?

Increased data privacy and ownership disputes with employees?

Careful consideration of these and other questions will serve as a starting point for understanding some of the unique risks and benefits associated with mobile device use within your organization. However, stakeholders cannot make informed decisions without first quantifying the risks and benefits.

Quantifying risks and benefits

If an organization estimates it could save $1 million dollars by implementing a BYOD policy, that estimate should be balanced against the potential risks of implementation. A risk assessment might consider some of the following questions:

What are some of the “bad” things that can happen and what is the likelihood of them happening?

What are the reputational and financial costs to the organization if something bad happens?

How can the risk of something bad happening be mitigated?

This last step is crucial since reducing or eliminating a perceived risk can shift the risk/benefit analysis considerably. Not surprisingly, a good risk mitigation strategy will become the backbone of the final mobile policy. Examples of factors that should be considered as part of a risk mitigation analysis include the following:

Can risk be reduced by requiring employees to sign agreements or acknowledgements covering some of the areas listed below?

Device and content ownership pre- and post-termination

Who is responsible for replacement and/or upgrade costs?

Who pays the services contract?

Are there usage restrictions/prohibitions?

Illegal activity, website/download restrictions, driving/texting?

Are there employer liability limitations? Insurance coverage?

Written policies combined with ongoing monitoring, training and enforcement are critical components of a good mobile strategy. Equally critical is the use of technology to streamline your organization’s mobile strategy which is discussed in the next section.

Technology

A blind spot for many lawyers is the tendency to focus on crafting written policies to mitigate risk without giving much thought to the importance of implementing the right technology. Organizations without mobile security technology are often forced to draft strict written policies that are difficult to enforce. On the other hand, deploying the right suite of mobile security technology can provide organizations with the flexibility to implement enforceable policies that enhance security without unnecessarily sacrificing worker productivity, privacy interests and employee morale.

For example, prohibiting employees from using mobile devices for personal use is a strict and seemingly simple policy, but it comes with enforcement challenges. Assume one objective of such a policy is to increase worker productivity by restricting employee access to distracting apps like Facebook, Twitter or Candy Crush. Another objective might be to secure important employer data by prohibiting employees from downloading apps or visiting websites that have not been tested for malware. Simply stated, these objectives are unenforceable without modern mobile technology.

Additionally, a policy prohibiting the personal use of devices in the workplace is also likely to have a cultural impact on employee morale, or worse yet, the bottom line. Today, people are accustomed to anytime/anywhere access to their technology and the line between personal and business life has become blurred more than ever before. Not only do employees expect the freedom to address personal matters at work without being required to switch between employee and employer devices, they also want the same flexibility outside of their normal 9 to 5 workdays. Implementing a policy that denies this kind of flexibility is likely difficult to enforce and could even lead to diminished employee productivity, morale and loyalty.

The good news is that advancements in mobile technology are making it easier to achieve the kind of mobile work/life balance employees expect without forcing employers to make unrealistic data security and economic sacrifices. That is because mobile application management technology provides the ability to segregate employer and employee data on the same device. This functionality, often referred to as “app wrapping”, is especially important for employers who want to reap the financial benefits of implementing a BYOD policy without inviting privacy disputes with employees. It is also important for employees who want to shield access to private information on their devices from their employers.

The secret is that mobile application management software allows organizations to manage information on the application level rather than the device level. That means IT administrators can remotely wipe company data from lost or stolen devices, or upon employee separation, and leave an employee’s personal data untouched.

Mobile technology is evolving rapidly and the granular features offered by solution providers are confusing. Attorneys who lack a strong technical background should avoid getting mired in details better left for the IT department, but that does not mean technology decisions should be abdicated. Instead, the legal department should communicate areas of legal risk to other stakeholders and ask questions to find out if existing or proposed mobile solutions address those risks. High risk areas related to mobile security that the legal department should evaluate include intellectual property protection, regulatory compliance, e-discovery, investigations and data privacy to name a few.

Today organizations have many choices when it comes to mobile security technology and the market is growing. One option is to purchase multiple point solutions for each area of vulnerability such as email, web browsing and app security. Another option is to invest in technologies that offer a portfolio of integrated solutions that address all critical areas of vulnerability across multiple devices and operating systems (i.e. Microsoft, iOS, Android). Although a point solution strategy may work for smaller organizations, larger enterprises should consider a longer term strategy that does not require the expense and inefficiencies that come with supporting multiple products.

Conclusion

Striking the proper balance between security, productivity and privacy is the key to establishing a successful mobile device policy. This balance cannot be achieved without involving the right stakeholders and without understanding how mobile technology can be used to influence written policies that may otherwise be difficult to enforce. The BYOD horse may have already left the barn, but it is not too late to create or update your mobile policy to reflect the changing needs of your organization and the rapid expansion of mobile technology in the workplace.